

Messages - 21hertz

1
Still seems to be a problem. Just tried to virtualize a machine and it seems like all the VMX interfaces (8 of them) are randomized...

Will try e1000 instead now.


2
You didn't mention you were running a double NAT and had multiple interfaces with the same gateway. If you had a WAN with a public IP and multiple IPs on the subnet, the instructions I gave would work fine. I doubt anyone is going to be able to help you running a strange config like that. What is the purpose of having multiple interfaces going to the same gateway? AFAIK, you still can't run multiple routing tables in pfSense.

Sorry, the IP addresses were just an example, not using double NAT.

Anyways, I got this figured out now. I got side-tracked with proxyarp, which is not necessary in this case.

How I solved it:
- Just added more WAN IPs as Virtual IPs with type Alias (as they can be on the same subnet as the physical WAN).
- Added these Virtual IPs and also the physical WAN IP to an alias group ("ALL_WAN_IPs").
- Added a PAT rule using the "ALL_WAN_IPs" alias, with Round Robin with Sticky Address.


It seems to be pseudo-sticky though. Clients use different WAN IPs on different connections. My understanding of Sticky Address was that it uses the same WAN IP for all connections based on the source (client) IP.

One thing that I still don't understand is that the clients never seem to use the physical IP address of the WAN interface, even though it's included in the host alias "group".
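The two observations in the post above (clients spread over several pool addresses, one pool member never used) can be checked directly from the firewall's state table instead of from the client side. The script below is an added example, not code from the thread or from pfSense: it parses `pfctl -ss` style state lines, groups them by the pre-NAT source address and reports which clients are mapped to more than one WAN address and which pool members carry no state at all. It assumes the FreeBSD pf format in which a NAT state prints the translated source first and the original source in parentheses; the state lines, the 10.20.0.0/16 clients, the 203.0.113.x pool (with .10 standing in for the physical WAN address) and the vmx0 interface name are all constructed for the example.

```python
"""Check whether Round Robin + Sticky Address outbound NAT is really pinning
each client to one WAN address, by grouping pf state entries by their
original (pre-NAT) source. Added example; assumes `pfctl -ss` output format:
    <iface> <proto> <translated src> (<original src>) -> <dst>   <state>
"""
import re
from collections import defaultdict

# Constructed sample of `pfctl -ss` output (not captured from a real box):
# three clients behind a pool; 203.0.113.10 plays the physical WAN address,
# .11-.13 the IP Alias VIPs. The last line is a non-NAT LAN-to-LAN state.
SAMPLE_STATES = """\
vmx0 tcp 203.0.113.11:50001 (10.20.0.5:50001) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
vmx0 tcp 203.0.113.11:50002 (10.20.0.5:50002) -> 198.51.100.8:443       ESTABLISHED:ESTABLISHED
vmx0 udp 203.0.113.12:40000 (10.20.0.5:40000) -> 198.51.100.9:53        MULTIPLE:SINGLE
vmx0 tcp 203.0.113.12:50010 (10.20.0.6:50010) -> 198.51.100.7:80        ESTABLISHED:ESTABLISHED
vmx0 tcp 203.0.113.12:50011 (10.20.0.6:50011) -> 198.51.100.7:443       FIN_WAIT_2:FIN_WAIT_2
vmx0 tcp 203.0.113.13:50020 (10.20.0.7:50020) -> 198.51.100.10:22       ESTABLISHED:ESTABLISHED
vmx1 tcp 10.20.0.8:50030 -> 10.30.0.9:445                               ESTABLISHED:ESTABLISHED
"""

# Assumed pool: the physical WAN address plus the alias VIPs (constructed).
POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]

# Only NAT states carry the "(original src)" group; plain states do not match.
NAT_STATE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+(?P<xlated>\S+)\s+\((?P<orig>\S+)\)\s+->\s+(?P<dst>\S+)"
)


def strip_port(endpoint: str) -> str:
    """'10.20.0.5:50001' -> '10.20.0.5'; pf prints IPv6 endpoints as 'addr[port]'."""
    if endpoint.endswith("]") and "[" in endpoint:
        return endpoint[: endpoint.index("[")]
    if endpoint.count(":") > 1:  # bare IPv6 address without a port
        return endpoint
    return endpoint.rsplit(":", 1)[0]


def parse_nat_states(text):
    """Yield (original_src_ip, translated_src_ip) for every NAT state line."""
    for line in text.splitlines():
        m = NAT_STATE.match(line)
        if m:
            yield strip_port(m["orig"]), strip_port(m["xlated"])


def stickiness_report(text):
    """Return ({client_ip: {wan_ips in use}}, {wan_ip: number of states})."""
    per_client = defaultdict(set)
    per_wan = defaultdict(int)
    for orig, xlated in parse_nat_states(text):
        per_client[orig].add(xlated)
        per_wan[xlated] += 1
    return dict(per_client), dict(per_wan)


def non_sticky_clients(text):
    """Clients currently spread over more than one WAN address."""
    per_client, _ = stickiness_report(text)
    return sorted(c for c, wans in per_client.items() if len(wans) > 1)


def unused_pool_members(text, pool=POOL):
    """Pool addresses that carry no state at all in this snapshot."""
    _, per_wan = stickiness_report(text)
    return sorted(ip for ip in pool if ip not in per_wan)


if __name__ == "__main__":
    # On the firewall itself, feed subprocess.run(["pfctl", "-ss"], ...).stdout instead.
    per_client, per_wan = stickiness_report(SAMPLE_STATES)
    for client, wans in sorted(per_client.items()):
        print(f"{client:15} -> {', '.join(sorted(wans))}")
    print("states per WAN address:", per_wan)
    print("non-sticky clients:", non_sticky_clients(SAMPLE_STATES))
    print("unused pool members:", unused_pool_members(SAMPLE_STATES))
```

One detail worth knowing when reading the result: pf's sticky-address keeps the client-to-address mapping in a source-tracking entry that is dropped as soon as that client has no states left (unless a `src.track` timeout keeps it alive), so a client that goes idle and comes back can legitimately land on a different pool member even though every concurrent connection was pinned.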


3
If you want to point your outbound NAT to a pool, you need to create an alias of hosts, consisting of the public IPs you want in the pool. Then use Manual Outbound NAT and change the translation address to the alias. You will be presented with options for the pool. You can also enter a subnet directly, but I haven't tried that method.

Yes, but I don't think I can do that since all the WAN IPs we've got are on the same subnet using the same gateway. And it's not possible in pfSense to add multiple IPs that are on the same subnet even though they are on different interfaces. If you try to add another interface using an IP that is on the same subnet as an existing interface, you will get this error message: The following input errors were detected: "IPv4 address 10.1.1.170/28 is being used by or overlaps with: WAN (10.1.1.168/28)."

I tried to set this up using Virtual IPs with Proxy ARP but am still not sure if that is the way to go, since it raises other questions, like multiple IPs showing up with the same MAC address (our ARP spoofing surveillance is triggered by this).


4
Hey,

The number of users in one of our networks has increased to over 6000 concurrent clients.
We're using Manual Outbound NAT on one WAN IP address to NAT all these clients at the moment (internal traffic is not NATed though) and of course this will become a problem when there aren't enough ports left to use.

We already have a few more unused IP addresses on the WAN subnet, routed by another router, which I'm ready to set up.

Since it is not possible to have multiple WAN addresses that share the same gateway/subnet, I have to use Virtual IPs, I guess.

I'm not sure how to set this up. I've added two Virtual IPs with Proxy ARP, from the same subnet as the WAN (one of them being the same IP as the WAN IP).

Now, under the NAT Outbound rules, I want to add a "PAT rule" to match all my LANs to my virtual IPs.
But I can only choose ONE virtual IP when configuring Translation, and no way to configure a group of "Virtual IPs"?
And if I add a whole network/subnet of IP addresses as a Virtual IP, I guess pfSense will try to use all IP addresses on that subnet, even though I only want to use a few IPs from that WAN subnet, not all IPs from the whole subnet.

I must be missing something here...

Edit: re-phrased my questions.

5
Messages from the pfSense Team / Re: pfSense 2.4.0-RELEASE Now Available!
« on: October 19, 2017, 05:01:31 am »
Just updated our test machine to 2.4.0, running on ESXi 5.5.0. No crash here. The vmware-guestd service didn't automatically start though, for some reason.


6
We have 3 different rsyslog servers, 1 running on OpenBSD and 2 on Linux. pfSense is sending all its logs to these three servers ("Everything").

We are getting more logging since updating to 2.3.1, and nginx is the source of this (about 500 MB per day extra). nginx does not log to our syslog servers in the same way as the rest of the logs (Everything, System/Firewall etc.). We are not using any extra packages except NRPE and VMware tools.

When logging to external rsyslog servers, nginx creates a new hostname source, in our case adding our domain.tld after the hostname (which becomes the destination directory/filename in our rsyslog).

You can see what I mean here, a directory listing from one of our syslog servers:
Code:
drwxr-xr-x    2 loguser      staff   24064 Jun  1 00:00 my-pfsense                      <--- all logs from pfsense except nginx logs.
drwx------    2 loguser      staff     512 Jun  1 00:00 my-pfsense.mydomain.tld          <--- nginx logs appear in here, nginx logs added "mydomain.tld".
drwxr-xr-x    2 loguser      staff   31232 Jun  1 00:00 my-pfsense-02                   <--- all logs from pfsense except nginx logs.
drwx------    2 loguser      staff     512 May 29 22:55 my-pfsense-02.mydomain.tld      <--- nginx logs appear in here, nginx logs added "mydomain.tld".

Here is an example of what the nginx-log file contains:

Code:
# tail 2016-06-01_my-pfsense.mydomain.tld.log
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - [ANONYMIZED@somedomain.tld] [01/Jun/2016:12:37:31 +0200] "POST /Microsoft-Server-ActiveSync?User=[ANONYMIZED@somedomain.tld]&DeviceId=SIVSUP0CTD1D35QNSM4EF9J64C&DeviceType=iPhone&Cmd=Sync HTTP/1.1" 302 5 "-" "Apple-iPhone5C4/1306.69"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.0.220 - - [01/Jun/2016:12:37:31 +0200] "GET /index.php?zone=cpwifise&redirurl=http%3A%2F%2Fofficecdn.microsoft.com%2Fsg%2F39168D7E-077B-48E7-872C-B232C3E72675%2FOffice%2FData%2Fv32.cab HTTP/1.1" 200 91 "-" "OfficeC2R"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - windowsdomain\ANONYMIZED [01/Jun/2016:12:37:31 +0200] "POST /index.php?zone=cpzone&redirurl=http%3A%2F%2Fmail.mydomain.tld%2FMicrosoft-Server-ActiveSync%3FUser%3Dtmd HTTP/1.1" 200 1706 "-" "Apple-iPhone5C4/1306.69"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - [ANONYMIZED@somedomain.tld] [01/Jun/2016:12:37:31 +0200] "POST /index.php?zone=cpzone&redirurl=http%3A%2F%2Foutlook.office365.com%2FMicrosoft-Server-ActiveSync%3FUser%3DANONYMIZED%40anotherdomain.tld HTTP/1.1" 200 1732 "-" "Apple-iPhone5C4/1306.69"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.0.220 - - [01/Jun/2016:12:37:31 +0200] "GET /sg/39168D7E-077B-48E7-872C-B232C3E72675/Office/Data/v32.cab HTTP/1.1" 302 5 "-" "OfficeC2R"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.0.220 - - [01/Jun/2016:12:37:31 +0200] "GET /index.php?zone=cpwifise&redirurl=http%3A%2F%2Fofficecdn.microsoft.com%2Fsg%2F39168D7E-077B-48E7-872C-B232C3E72675%2FOffice%2FData%2Fv32.cab HTTP/1.1" 200 91 "-" "OfficeC2R"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - windowsdomain\ANONYMIZED [01/Jun/2016:12:37:31 +0200] "POST /Microsoft-Server-ActiveSync?User=tmd&DeviceId=SIVSUP0CTD1D35QNSM4EF9J64C&DeviceType=iPhone&Cmd=Sync HTTP/1.1" 302 5 "-" "Apple-iPhone5C4/1306.69"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - [ANONYMIZED@somedomain.tld] [01/Jun/2016:12:37:31 +0200] "POST /Microsoft-Server-ActiveSync?User=[ANONYMIZED@somedomain.tld]&DeviceId=SIVSUP0CTD1D35QNSM4EF9J64C&DeviceType=iPhone&Cmd=Sync HTTP/1.1" 302 5 "-" "Apple-iPhone5C4/1306.69"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - windowsdomain\ANONYMIZED [01/Jun/2016:12:37:31 +0200] "POST /index.php?zone=cpzone&redirurl=http%3A%2F%2Fmail.mydomain.tld%2FMicrosoft-Server-ActiveSync%3FUser%3Dtmd HTTP/1.1" 200 1706 "-" "Apple-iPhone5C4/1306.69"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - [ANONYMIZED@somedomain.tld] [01/Jun/2016:12:37:31 +0200] "POST /index.php?zone=cpzone&redirurl=http%3A%2F%2Foutlook.office365.com%2FMicrosoft-Server-ActiveSync%3FUser%3DANONYMIZED%40anotherdomain.tld HTTP/1.1" 200 1732 "-" "Apple-iPhone5C4/1306.69"

These are my concerns:
1. Our syslog server gets a lot of nginx logs containing upper layer information (HTTP POST etc.) (may be normal for nginx, but it's a new behaviour of pfSense).
2. nginx seems to log separately from anything I configure in Settings under Logging in pfSense? (not confirmed for every setting)
3. nginx creates another source hostname than the rest of the logs do -> logging destination gets affected (depending on your rsyslog configuration of course). nginx sets its logs' hostname source to hostname.domain.tld instead of just hostname as for everything else.

It would be nice to be able to configure the nginx logging feature from the GUI so that it matches what you need to be logged - and where.


Take care,
J.
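Concerns 1 and 3 in the post above (how much of the volume nginx is responsible for, and which program logs under a different hostname than the rest) are easy to measure on the receiving syslog server. The script below is an added example, not code from the thread, from pfSense or from rsyslog: it parses lines in the ISO-timestamp syslog form quoted above (`<timestamp> <hostname> <program>[pid]: <message>`), sums bytes per program, lists which programs appear under which source hostname, and flags hosts that show up both as a short name and as an FQDN. The five sample lines, the filterlog/dhcpd/logportalauth messages and the 10.0.x.x addresses are constructed for the example.

```python
"""Summarise pfSense syslog traffic per source hostname and per program, and
flag a host that shows up under more than one name (short vs FQDN).
Added example; expects lines of the form
    <timestamp> <hostname> <program>[pid]: <message>
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape pfSense sends (not real captures).
SAMPLE_LOG = """\
2016-06-01T12:37:30+02:00 my-pfsense filterlog: 5,,,1000000103,vmx0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,203.0.113.11,51515,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.0.3.77 - - [01/Jun/2016:12:37:31 +0200] "GET /index.php?zone=cpzone HTTP/1.1" 200 1706 "-" "OfficeC2R"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.0.0.220 - - [01/Jun/2016:12:37:31 +0200] "GET /sg/Office/Data/v32.cab HTTP/1.1" 302 5 "-" "OfficeC2R"
2016-06-01T12:37:32+02:00 my-pfsense dhcpd: DHCPACK on 10.0.3.77 to 00:6c:8f:00:6b:31 via vmx1
2016-06-01T12:37:33+02:00 my-pfsense logportalauth[12345]: Zone: cpzone - ACCEPT: someuser, 00:6c:8f:00:6b:31, 10.0.3.77
"""

# program is everything up to the optional "[pid]" and the ":" that ends the tag
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)


def parse(text):
    """Yield (hostname as sent, program, bytes on the wire) per well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m["host"], m["prog"], len(line.encode()) + 1  # +1 for the newline


def short_name(host):
    """'my-pfsense.mydomain.tld' -> 'my-pfsense'."""
    return host.split(".", 1)[0]


def bytes_per_program(text):
    """Which program is responsible for how much log volume."""
    c = Counter()
    for _, prog, n in parse(text):
        c[prog] += n
    return c


def programs_by_source_name(text):
    """{hostname as the sender wrote it: set of programs}; a program that
    logs under a different name than the rest stands out here."""
    out = defaultdict(set)
    for host, prog, _ in parse(text):
        out[host].add(prog)
    return dict(out)


def split_sources(text):
    """Hosts seen under more than one name. rsyslog templates keyed on
    %HOSTNAME% put each variant in its own directory, as in the listing."""
    variants = defaultdict(set)
    for host, _, _ in parse(text):
        variants[short_name(host)].add(host)
    return {s: sorted(v) for s, v in variants.items() if len(v) > 1}


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/remote/...").read() on the server.
    for prog, n in bytes_per_program(SAMPLE_LOG).most_common():
        print(f"{prog:15} {n:8} bytes")
    for host, progs in sorted(programs_by_source_name(SAMPLE_LOG).items()):
        print(f"{host:30} {', '.join(sorted(progs))}")
    print("split sources:", split_sources(SAMPLE_LOG))
```

Running it over a full day's files gives the per-program share behind the "500 MB per day extra" figure and, via `split_sources`, every host whose logs are being fanned out into two directories by the FQDN/short-name mismatch.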

7
Packages / Re: NRPE in pfsense 2.3
« on: May 16, 2016, 05:48:21 am »
Thank you. To be released any day now I guess. :)




8
Packages / Re: NRPE in pfsense 2.3
« on: May 02, 2016, 07:56:34 am »
Same here. Holding off updating to 2.3 since Nagios checks are crucial in our environment. I try not to manually install any extras or packages that are not included, since updating later on may break any manual changes.

I hope someone, if not the original creator, will continue to develop NRPE further. It's been almost 3 years since the last update.




9
Same problem here.

Happens a few times a week, seems random.
Services status still reports captiveportal as Up, so the only way to know if it's down is if a client user reports it or if you use external monitoring on the CP's HTTP/HTTPS.



10
Swedish / Re: Multiple WAN Addresses to Multiple LANs
« on: April 16, 2015, 02:09:37 pm »
Hi!

I'm a beginner with pfsense, but I'm still not going to give up 8)

The situation is that we have two fixed 100/100 fiber lines, and with them we have bought 25 IP addresses.
I have installed pfsense on a physical server with 5 1Gb/s network cards, and we now want to give some people in our building internet where they get their own fixed IP.
How is that done?

My idea is that the customers get their own firewall, supplied by us, which is preconfigured with one of these 25 addresses.
What I want to be able to do with pfsense is control the speed, make sure they don't download from torrent sites, and shut down those who don't pay.

I have googled but can't find a solution!


That's no problem: create the interfaces as usual, but then make sure to select the right gateway on each LAN interface (usually you only get ONE default gw).


11
Hello!

I manage a network with Cisco switches where each Cisco switch inserts DHCP Option 82 with the switch name + port number + VLAN into every DHCP request made by a client.
The purpose is to keep track of where users connect. I have, with success, used this solution together with a standalone ISC DHCP server.
I'd like to do the same thing in pfSense.

In the standalone ISC DHCP server I have this configured:

Code:
if exists agent.circuit-id
{
log ( info, concat( "Lease for ", binary-to-ascii (10, 8, ".", leased-address), " is connected to switch ",
substring( option agent.remote-id, 2, 9999), " port ",
binary-to-ascii (10, 8, "/", suffix ( option agent.circuit-id, 2)), " via VLAN ",
binary-to-ascii (10, 16, "", substring( option agent.circuit-id, 2, 2))));
}

Which results in these logs:

Code:
Apr 16 20:01:41 dhcp-1 dhcpd: Lease for 10.1.109.85 is connected to switch CISCO-SWITCH-1 port 1/38 via VLAN 7
Apr 16 20:01:41 dhcp-1 dhcpd: DHCPREQUEST for 10.1.109.85 from 00:6c:8f:00:6b:31 via 10.1.109.2
Apr 16 20:01:41 dhcp-1 dhcpd: DHCPACK on 10.1.109.85 to 00:6c:8f:00:6b:31 via 10.1.109.2


My questions:

1. Is it possible to do the same in the pfSense DHCP server via the GUI (in the DHCP Option menu)?
2. If not, can I add configuration via the shell, to /var/dhcpd/etc/dhcpd.conf, without it being flushed/reset by pfSense once DHCPD is started again?


Regards,
J.
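The dhcpd.conf expression in the post above encodes a specific byte layout: two header bytes, a 16-bit VLAN, then module and port in the circuit-id, and two header bytes followed by the switch hostname in the remote-id. The script below is an added example, not code from the thread, from ISC dhcpd or from pfSense: it walks a DHCP options field, pulls out option 82, decodes the two sub-options exactly as the `substring`/`suffix`/`binary-to-ascii` calls do, and produces the same "Lease for ... is connected to switch ... port ... via VLAN ..." line, so the same tracking can be done wherever the raw option is visible (a packet capture, a relay, another DHCP server's hook). The option bytes, the switch name CISCO-SWITCH-1, port 1/38 and VLAN 7 are constructed to match the log line in the post.

```python
"""Decode DHCP relay-agent information (option 82) the way the post's
dhcpd.conf snippet does. Added example; assumes the Cisco encodings the
snippet implies (circuit-id: 2 header bytes, 16-bit VLAN, module, port;
remote-id: 2 header bytes, then the switch hostname as ASCII).
"""
import struct
from dataclasses import dataclass

OPT_PAD = 0
OPT_END = 255
OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1   # RFC 3046 agent.circuit-id
SUBOPT_REMOTE_ID = 2    # RFC 3046 agent.remote-id


@dataclass(frozen=True)
class RelayInfo:
    switch: str
    port: str   # "module/port", e.g. "1/38"
    vlan: int


def extract_option82(options: bytes):
    """Walk a DHCP options field (after the magic cookie) and return the raw
    option-82 payload, or None if absent. Skips PAD, stops at END."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == OPT_RELAY_AGENT_INFO:
            return value
        i += 2 + length
    return None


def parse_suboptions(payload: bytes) -> dict:
    """Split an option-82 payload into {sub-option code: value}."""
    subs = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        i += 2 + length
    return subs


def decode_cisco_option82(payload: bytes):
    """Mirror the dhcpd.conf expression; None when there is no circuit-id
    (the snippet's `if exists agent.circuit-id`)."""
    subs = parse_suboptions(payload)
    cid = subs.get(SUBOPT_CIRCUIT_ID)
    if cid is None:
        return None
    if len(cid) < 4:
        raise ValueError("circuit-id too short for the vlan/module/port layout")
    (vlan,) = struct.unpack("!H", cid[2:4])             # substring(circuit-id, 2, 2), 16-bit
    port = "/".join(str(b) for b in cid[-2:])            # suffix(circuit-id, 2), base 10, "/"
    rid = subs.get(SUBOPT_REMOTE_ID, b"")
    # substring(remote-id, 2, 9999): only meaningful for the hostname form of
    # remote-id; a MAC-form remote-id would decode to junk here, as in dhcpd.
    switch = rid[2:].decode("ascii", errors="replace")
    return RelayInfo(switch=switch, port=port, vlan=vlan)


def format_lease_log(leased_address: str, info: RelayInfo) -> str:
    """Same text the log() statement in the post produces."""
    return (f"Lease for {leased_address} is connected to switch {info.switch} "
            f"port {info.port} via VLAN {info.vlan}")


# Constructed packet bytes: VLAN 7, module 1, port 38 (0x26), hostname remote-id.
CIRCUIT_ID = bytes([0x00, 0x04, 0x00, 0x07, 0x01, 0x26])
REMOTE_ID = bytes([0x01, 0x0e]) + b"CISCO-SWITCH-1"
OPTION82_PAYLOAD = (bytes([SUBOPT_CIRCUIT_ID, len(CIRCUIT_ID)]) + CIRCUIT_ID
                    + bytes([SUBOPT_REMOTE_ID, len(REMOTE_ID)]) + REMOTE_ID)
SAMPLE_OPTIONS = (bytes([53, 1, 3])                              # message type: DHCPREQUEST
                  + bytes([OPT_RELAY_AGENT_INFO, len(OPTION82_PAYLOAD)]) + OPTION82_PAYLOAD
                  + bytes([OPT_END]))

if __name__ == "__main__":
    info = decode_cisco_option82(extract_option82(SAMPLE_OPTIONS))
    print(format_lease_log("10.1.109.85", info))
```

The field is only as trustworthy as its source: the switch has to be the one inserting option 82, with client-supplied copies dropped at the access port (Cisco DHCP snooping does this on untrusted ports by default), otherwise a client could claim any switch and port it likes.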

